Elliott Solutions Inc Active Directory Exercise - Case Study Example

Academia Research Order 728644 9th October Elliott Solutions Inc. Active Directory Exercise Introduction Elliott Solutions Inc. has recently purchased four smaller competitors, and wishes to incorporate their computer networks into the Elliott network as soon as practicable and with the minimum expenditure of time and effort. This will be done through the agency of Microsoft Active Directory (AD). Effort will also be made to optimise the amount of network traffic within the revised corporate WAN. Replication possibilities will also be considered. This exercise will therefore consist of a description of the Active Directory implementation necessary to achieve this business objective. Initial Steps To Consolidating The Networks These will be carried using an Active Directory Restructure. The domain controllers of the existing networks of the absorbed competitors will be decommissioned. The existing domains of these competitors will be designated as Organisational Units (OUs) within the consolidated scheme. The existing Elliott Solutions Domain Controller (DC) will be designated as the DC for the consolidated network. It should be noted that this DC may require a hardware upgrade in ordered to handle the increased data load and network traffic. The Restructure will commence with the use of the AD ‘dcpromo’ utility to turn the DCs of the absorbed competitors into Member Servers of the consolidated network. These Member Servers will then be re-established as lower-level DCs within the consolidated network. There will be a two-way Explicit Trust between the top-level (Elliott) and lower-level (absorbed competitors). This will be done through use of an AD external transaction. This will, in effect, allow the Elliott DC to access the absorbed competitors’ networks without conducting a data migration. This will be of especial significance as a temporary measure while the definitive consolidated network is designed and implemented. Definitive Consolidation Of Networks This will be done through a Active Directory Migration, as allowed for within the Windows 2008 Active Directory implementation. The main objective will be to consolidate the business data and Active Directory databases of Elliott and the absorbed competitors. A correctly implemented Active Directory Migration will be particularly important should one or more of the absorbed enterprises has a network that has been under the control of a Windows NT domain For the purposes of this exercise, we will presume that the Elliott DC and all the subsidiary DCs and Member Servers are part of the same Forest. The follwing specific steps will be taken. 1. The Active Directory Migration Tool (ADMT) will be used to move the user, group, and computer accounts within the existing domains (both AD and NT) of Elliott and the absorbed competitors into the consolidated Elliott AD domain. 2. The AD ‘MoveTree’ utility will be used to user objects of the components within the original domains (regarded as the same Forest for the purposes of this exercise) to within the designated Groups within the consolidated Elliott domain. 3. It may be safely assumed that there will be a large measure of object name duplication within the original domains, and that the object names within the absorbed competitors’ domains will not conform to Elliott conventions. The AD ‘Dsmove’ utility will therefore be used where appropriate to move or rename objects within a the consolidated Elliott domain. 4. It is likely that there will be appreciable moving and replacement of workstations during the consolidation. The AD User State Migration Tool (USMT) will therefore be used where appripriate to move the user profiles in question, will be containing user preferences and user documents, to the replacement workstation.. Another important component of the migration plan will be to assign new Security Identifiers that accord with Elliott naming conventions to those objects originating with the absorbed competitors. If it is decided to keep a given SID that was assigned on the old domain (notably the pre-migration Elliott domain(s)), so that permissions are not changed, you will need to preserve the Elliott SID history will be preserved. The competitors’ SID history (where this exists) will not be need to be preserved as their old domains are expected to be decommissioned. The following measures will be used during the migration to allow the staff of the former competitors in particular to carry on working during the migration. 1. When the absorbed competitors’ user accounts are moved to the new consolidated domain, the User Principal Name (UPN) suffixes will change. To allow users to continue using the previous UPN suffix, add an alternate UPN suffix to the domain using Active Directory Domains and Trusts. Then edit the user account properties to select the UPN suffix for the user account. 2. The InetOrg object in Active Directory would most likely be used to represent user accounts in the Elliott migration, but the Active Directory user class may also need to be used for this purpose. The InetOrg object will be used for this migration of users between LDAP directories within the consolidated domain Preparing the DC for the consolidated domain may well require the use of the Adprep’ utility. The purpose of using This utility will need to be used if it is necessary to prepare a forest or a domain to acknowledge and admit a new domain controller into the conciliated Elliott domain. It is assumed that this domain will be running Windows Server 2008 or if Elliott are upgrading an existing domain controller to Windows Server 2008 as part of the migration and consolidation process. As outlined above, during the migration, the absorbed competitior’s domains will be running, most likely older versions of Microsoft Server. The following operating system factors will therefore need to be considered. An existing domain controller must be running Windows 2000 SP4 or Windows Server 2003 SP1 if is desired to retain it as part of the consolidated forest in order to upgrade to Windows Server 2008 You cannot change versions cannot be changed when upgrading. For example, it is not possible to upgrade a server running Windows Server 2003 Standard edition to Windows Server 2008 Enterprise edition. Before adding the first domain controller running Windows Server 2008 to an existing Windows 2000 or Windows Server 2003 Active Directory environment (this particularly applies to the absorbed competitors‘ equipment), the forest and domain levels must be set appropriately Windows NT 4.0 domain controllers (most likely to be used by the absorbed competitors) will require the Windows 2000 Mixed functional level to be set by the system administrator. It is not possible to have NT 4.0 and 2008 domain controllers within the consolidated Elliott domain. For the purposes of the migration, all offices of the former competitors that have not been or are to be consolidated with existing Elliott offices, will need to be considered as AD Branch Offices. Each Branch Office will some degree of access to the network but will need to balance access to the consolidated network’s resources while keeping security intact. Each branch office will therefore need a localk catalog server in-house should access to the consolidated Elliott WAN fails. This will allow Branch Office users to authenticate using the catalog server. Each branch will have local resources which will be used before network resources, so each nranch will need it‘s own L|AN with a gateway to the consolidated Elliott WAN. This will improve performance and also control replication problems. Some Branch Offices may be able to use a read-only domain controller (RODC) where they do not need to make changes to any of the Active Directory objects. However, a read-write lower-level domain controller (which the appropriate DBS settings) will be needed if AD objects need to be changed by a consolidated Elliott Branch Office. A RODC will be particularly useful where if physical security cannot be assured, despite strong Access Control Policies which should have been introduced as part of the overall Elliott Information Security (IS) policy. An RODC should be seriously consider as part of the migration plan where it will reduce the amount of time it takes remote users at a given Branch Office to log on to the network. It will also improve security and access to network resources at remote sites. If a RODC is decided upon, it is expected that the domain and forest level will be standardised throughout the consolidated Elliott domain at Windows Server 2008 It must be borne in mind that a RODC can only support inbound replication.  Managing Consolidated Elliott Enterprise Network Resources In order to effectively manage the computing resources of the consolidated Elliott domain, as well as the two-way explicit Trusts implemented between the m aster and subsidiary domain controllers mentioned above, there will need to be effective implementations of the following. 1. Active Directory Federation Services in order permit access to specific Elliott applications between various Elliott offices whose staff are accessing them via a Web browser. This will be of particular use to sales staff who are using remote access through laptops. In this context, it is important that Elliott have a robust Remote Access Policy (a Company one, not an AD GPO). 2. Identity Lifecycle Manager will be needed to effectively automate the managing of managing user credentials, passwords, distribution lists, and certificates and Information Security material held on the consolidated domain. There are two other key Windows 2008 Active Directory features that are key to the best effective management of the resources that will comprise the consolidated Elliott domain. The first is Network Load Balancing (NLB) and the second is Failover Clustering. Network Load Balancing is the key to effective network traffic management. The main goal of this facility os to ensure that all servers within the consolidated Elliott domain are doing their fair share of the work, and that no one server is overloaded. It is implicitly recognised that if most or all of these servers are showing signs of overloading, more processing capacity will need to be added to the consolidated Elliott domain. To work effectively, the network load balancing imlemenation on the consolidated Elliott domain will need to have the following features:- The NLB load cluster to be implemented will have to cover all the nodes within the consolidated Elliott domain. It there are more than 32 such nodes, there will need to two or more such clusters. To implement effective NLB, the following measures will need to be taken. 1. Each node will have to maintain its own data on directly-attached storage. 2. As NLB is best suited for services with static data, goven that the data on the Elliott consolidated domain will be constantly, there wioll have to the a facility synchronize data between each of the nodes. 3. NLB convergence will need to be used to dynamically synchronize the configuration (but not the data) when nodes are added or removed will need to be closely monitored while such changes are taking place. 4. It will be advisable to implement multiple NICs to provide network redundancy for each NLB node. 5. Functionally correct and timely IIS, Terminal Services, Routing and Remote Access, and VPN access services will need to be implemented and verified.. 6. Each of the NLB cluster nodes are will need to be located in the same location., presumably the master computer room of Elliott HQ The other measure required to effective manage the computing resources of the Elliott consolidated domain is Failover Clustering, which is needed to provide redundant services to allow Elliott’s staff top continue their work in the event of a system failure. It will eliminate any single point of failure. Another server will be waiting to take over and carry with the IT requests of Elliott‘s staff. It will be necessary to create several Failover Clusters as each cluster may have only up to eight nodes. All nodes will share from a universal storage pool. Nodes will be granted access dependent upon Elliott‘s consolidated IT service requirements. For each Failover Cluster, as well as the primary nodes that will be operational on an everyday basis, there will be secondary nodes in a cluster setting are set up in a listening mode. When the active or primary node goes down, the secondary node will immediately take over. Once the failed primary node comes back online, the secondary node will go back into listening mode and allow the primary node to become the active node again. The Elliott consolidated domain Failover Clustering implementation will need to have the following features. 1. Redundancy in the form of multiple hardware and network components. 2. Common services used with Failover Clustering will need make frequent changes to data and will include SQL, DHCP, Exchange, and Certificate Services. The processing and storage features to be implemented will therefore need to take account of this. This will be impleneted in detail to allow for the growth in Elliott’s consolidated network traffic requirements, 3. Cluster nodes will be geographically dispersed in the form of at least one per Elliott consolidated office. Recovery and Maintenance Dealing with a major AD failure will require the provision of a second domain controller running a ‘mirrored’ (concurrent and up-to-date) Active Directory database, which will immediately take over in the event of failure. With proper disk mirroring, users will receive a seamless service. The primary AD database, once it returns to operation, will then be updated with the ‘mirrored’ data from the secondary database before resuming full operation. It is also important to have on-site and off-site daily backups of the whole AD database in the event of a total failure. The exact procedures to be followed in such an event (which may involve the use of a Backup Data Center) will need to be defined in the Elliott Business Continuity/Disaster Recovery (BC/DR) policy. One other facility that will need to be considered is the receipt and implementation of AD updates (both in terms of bug fixes and enhancements) from Microsoft. This will mean that the following Microsoft utilities will need to be implemented. 1. Windows Updates. This will provide updates to the operating system. There are two types of updates (both of which will be needed for optimum operation) available: critical and non-critical. Critical updates will need to be downloaded as soon as they are available, since there is the potential that Elliott’s system will be compromised if these are not installed immediately. The best way will be automatically the download the updates on a disk device and then install them at a time of Elliott’s own choosing - most likely midnight to 5am, when system use will be at it’s least. 2. Microsoft Updates, which works in the same way, but with Microsoft applications like Office rather than operating systems. 3. Windows Server Update Services (WSUS) is an application that needs to run on one of Ellliott’s consolidated domain servers server. It willdo the job of Windows Updates and Microsoft Updates above and should be automated and customized to Elliott’s specific requirements and will require a WSUS server. It will become the Company’s first line of defense against the type of problems that can occur when systems and applications are not patched and up to date. Conclusion The measures outlined above will comprise the migration plan to be implemented as part of the absorption of four small competitors by Elliott Solutions Inc. It is now up to the Board to dictate the schedule, which is expected to coincide with the overall business absorption and consolidation programme. It is, however, recommended that a temporary restructure of the domains be undertaken first, in order to allow Elliott’s to proceed while the definite migration plan is carried out. It also recommended that the necessary ‘switchovers’ be carried out outside of working hours to forestall interruptions to the workflow. Read More